File encryption for zfs

Status
Not open for further replies.

PrincePaul

Patron
Joined
Feb 26, 2012
Messages
225
It would be great if FreeNAS 8 got data encryption for ZFS,
similar to FreeNAS 7.

regards
PrincePaul
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,525
/facepalm

Do you really think nobody has thought of that already? If you read the manual you will know precisely why it's NOT supported. And at the present, it's pretty much not feasible. I wouldn't count on seeing encryption for at least 18 months, if ever.
 

PrincePaul

Patron
Joined
Feb 26, 2012
Messages
225
?

encrypting works link

but only "handmade"

Do you have a link to this: "the manual you will know precisely why it's NOT supported"?
 

Stephens

Patron
Joined
Jun 19, 2012
Messages
496

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,525

PrincePaul

Patron
Joined
Feb 26, 2012
Messages
225
WTF

encryption:
Oracle has not released as open source....


I read the manual, but I don't read the ZFS feature list/version list.

But there must be another solution without Oracle.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,525
> WTF
>
> encryption:
> Oracle has not released as open source....
>
> I read the manual, but I don't read the ZFS feature list/version list.
>
> But there must be another solution without Oracle.

There is...the alternative is to use the handmade encryption you linked.

Check out https://support.freenas.org/ticket/119 for a little bit of discussion in a ticket that is open for encryption. The options are rather limited at present... and for the foreseeable future. :(
 

paleoN

Wizard
Joined
Apr 22, 2012
Messages
1,402
> But there must be another solution without Oracle.

Looks like GELI full disk encryption might make it into 8.3.0. :cool: They just added some BETA code to trunk.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,525
I'd be curious to know how secure it is from a cryptanalyst's perspective. I know a lot of encryption programs have had oopsies with their implementation of encryption that made cracking the key within seconds possible. I think TrueCrypt had a vulnerability years ago (pre-2007, I think) that made guessing the key significantly easier with brute force due to a bug in the software. This made it possible to gain access to the data in a more reasonable time frame, even with AES-256.
 

Cordel

Dabbler
Joined
Aug 18, 2012
Messages
22
Certificate-based dataset encryption.

Certificate-based would be the ideal way to go.
Then you have the option of:
  1. Adding a password to the cert would be an option, for those that don't mind the need to enter a password before the partition is mounted.
  2. Have the cert on any non-encrypted partition to pass to GELI on boot. No user input required.
  3. Using a Certificate Authority server (this separates the certs from the server using them, so if separated on the network, i.e. the NAS is stolen, unless the cert server is reachable, no decryption).
  4. Have the option of a tertiary Cert Authority in case the first is down.

Just my 2 cents.

This would give you the option to boot without user intervention, by either having a cert on a partition of a USB drive or creating a simple cert server available only to your local subnet. The latter would be preferred: say the file server is stolen; unless they steal the cert server and put it online, your stuff is still encrypted. You could even take this further by using trusts.

I believe GELI is capable of this. I could be way off though. Correct me if I'm wrong.
 